This helped me big time finding failed logon attempts: [WayBack] Event Log Hell (finding user logon & logoff) – Ars Technica OpenForum
Alternatively, you can use the XPath query mechanism included in the Windows 7 event viewer. In the event viewer, select “Filter Current Log…”, choose the XML tab, tick “Edit query manually”, then copy the following to the textbox:

```xml
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[EventID=4624] and EventData[Data[@Name='TargetUserName'] = 'USERNAME']]</Select>
  </Query>
</QueryList>
```

This selects all events from the Security log with EventID 4624 where the EventData contains a Data node with a Name value of TargetUserName that is equal to USERNAME. Remember to replace USERNAME with the name of the user you’re looking for.

If you need to be even more specific, you can use additional XPath querying – have a look at the detail view of an event and select the XML view to see the data that you are querying into.
Thanks user Hamstro!
Notes:
- You need to perform this using eventvwr.exe running as an elevated process with an administrative user UAC token. USERNAME needs to be the name of the user in UPPERCASE.
- Replacing TargetUserName with SubjectUserName (as suggested by [WayBack] How to Filter Event Logs by Username in Windows 2008 and higher | Windows OS Hub) fails.
- There are more relevant EventID values you might want to filter on (all links have a screenshot and XML example of an event):
  - [WayBack] 4624(S) An account was successfully logged on. (Windows 10) | Microsoft Docs
  - [WayBack] 4625(F) An account failed to log on. (Windows 10) | Microsoft Docs
  - [WayBack] 4626(S) User claims information./Device claims information. (Windows 10) | Microsoft Docs
  - [WayBack] 4634(S) An account was logged off. (Windows 10) | Microsoft Docs
  - [WayBack] 4647(S) User initiated logoff. (Windows 10) | Microsoft Docs
  - [WayBack] 4648(S) A logon was attempted using explicit credentials. (Windows 10) | Microsoft Docs
  - [WayBack] 4797 (An attempt was made to query the existence of a blank password for an account). At the time of writing it was undocumented, but it seems to be part of an account checking process as per [WayBack] Windows 8 Event ID 4797 in Security Log:
    > That means that an application or service makes an attempt to query the accounts which have blank password. I think some security software may make such request.
- Blank (empty) passwords can only be used for local logon, so they disable network logon. That can be a useful security strategy.
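The same XPath filter can be run from PowerShell instead of clicking through the Event Viewer dialog, which is handy when you want to check one account for both successful (4624) and failed (4625) logons and see where they came from. This is an added example, not code from the original post or the forum thread; `$UserName` and `$MaxEvents` are parameters I made up, and the session must be elevated for the same reason eventvwr.exe must be.

```powershell
# Added example (not from the original post): query successful (4624) and
# failed (4625) logons for one account from the Security log, using the same
# XPath structure as the Event Viewer filter above, via Get-WinEvent.
# Run from an elevated PowerShell session. $UserName and $MaxEvents are
# hypothetical parameters; give the name exactly as the event XML records it
# (the post above observed that uppercase was required).
param(
    [Parameter(Mandatory = $true)]
    [string]$UserName,
    [int]$MaxEvents = 50
)

# Same shape as the Event Viewer query, extended to match either event ID.
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625)]
        and EventData[Data[@Name='TargetUserName']='$UserName']]
    </Select>
  </Query>
</QueryList>
"@

# Flatten each event's named EventData fields so the interesting ones are
# readable: logon type (2 interactive, 3 network, 10 remote interactive),
# source address and workstation, and for 4625 the NTSTATUS failure code.
# No matching events simply produces no output (SilentlyContinue).
Get-WinEvent -FilterXml $filterXml -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        $result = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            EventId     = $_.Id
            Result      = $result
            User        = $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            LogonType   = $data['LogonType']
            Source      = $data['IpAddress']
            Workstation = $data['WorkstationName']
            Status      = $data['Status']   # populated for 4625 only
        }
    } | Format-Table -AutoSize
```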
Related:
- [WayBack] How to search the Windows Event Log for logins by username
- [WayBack] Active Directory – How to Find Failed Logon Requests – geekmungus
- [WayBack] Audit Failure – Suspicious Activity On A Server – IT Security – Spiceworks
–jeroen